CVE-2009-1883

2009-09-18T06:30:00

ID: CVE-2009-1883
Type: cve
Reporter: NVD
Modified: 2017-09-28T21:34:37

Description

The z90crypt_unlocked_ioctl function in the z90crypt driver in the Linux kernel 2.6.9 does not perform a capability check for the Z90QUIESCE operation, which allows local users to leverage euid 0 privileges to force a driver outage. In other words, the driver decides who may quiesce the s390 crypto adapter from the caller's effective UID rather than from a capability, so a process that runs with euid 0 but a reduced capability set (a root-owned service that has dropped its administrative capabilities, for example) can still take the adapter out of service for every other user of the device. The impact is local denial of service of the crypto adapter; the fix is to gate the operation on the kernel's capability check instead of the UID.
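As an added illustration (a user-space model written for this page, not the kernel's z90crypt source), the two dispatchers below contrast the check the CVE text describes, a test on the caller's effective UID, with a check on the caller's effective capability set, which is what the kernel's capable() consults. The cred and device structures, the Z90_SUBMIT command and the command numbers are assumptions made for the model, and so is the choice of CAP_SYS_ADMIN as the gating capability (the page does not name the capability the fix checks; 21 is its bit number in linux/capability.h). The scenario that matters is a caller with euid 0 whose effective set lacks CAP_SYS_ADMIN: the euid test lets it quiesce the adapter, after which every later request is refused, while the capability test returns -EPERM and the adapter keeps serving.

```c
/*
 * Added example, not the kernel's z90crypt code: a user-space model of the
 * privilege check behind CVE-2009-1883.  The unfixed 2.6.9 driver decided
 * whether a caller may issue Z90QUIESCE from the effective UID rather than
 * from a capability; both variants are implemented here side by side.
 * The cred/device structures, the Z90_SUBMIT command and the command
 * numbers are assumptions for the illustration; CAP_SYS_ADMIN as the gating
 * capability is an assumption too (its bit number matches linux/capability.h).
 */
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define CAP_SYS_ADMIN 21
#define cap_mask(cap) (1ULL << (cap))

/* Model ioctl commands (hypothetical numbers; the real ones live in the driver header). */
enum z90_cmd { Z90QUIESCE = 1, Z90_SUBMIT = 2 };

/* The subset of the caller's credentials that the two checks look at. */
struct cred_model {
    uint32_t euid;          /* effective UID */
    uint64_t cap_effective; /* effective capability bitmask */
};

/* Driver state: once quiesced, no further crypto requests are accepted. */
struct z90_dev_model {
    bool quiesced;
    unsigned long served;
};

static bool model_capable(const struct cred_model *c, int cap)
{
    return (c->cap_effective & cap_mask(cap)) != 0;
}

/* Shared request path: this refusal is the "driver outage" a quiesce causes. */
static long z90_submit(struct z90_dev_model *dev)
{
    if (dev->quiesced)
        return -ENODEV;
    dev->served++;
    return 0;
}

/* Vulnerable dispatcher: gates Z90QUIESCE on euid == 0 only. */
long z90_ioctl_vulnerable(struct z90_dev_model *dev, const struct cred_model *c, unsigned int cmd)
{
    switch (cmd) {
    case Z90QUIESCE:
        if (c->euid != 0)
            return -EACCES;
        dev->quiesced = true;
        return 0;
    case Z90_SUBMIT:
        return z90_submit(dev);
    default:
        return -EINVAL;
    }
}

/* Fixed dispatcher: gates Z90QUIESCE on the effective capability set, as capable() does. */
long z90_ioctl_fixed(struct z90_dev_model *dev, const struct cred_model *c, unsigned int cmd)
{
    switch (cmd) {
    case Z90QUIESCE:
        if (!model_capable(c, CAP_SYS_ADMIN))
            return -EPERM;
        dev->quiesced = true;
        return 0;
    case Z90_SUBMIT:
        return z90_submit(dev);
    default:
        return -EINVAL;
    }
}

typedef long (*z90_ioctl_fn)(struct z90_dev_model *, const struct cred_model *, unsigned int);

/*
 * Attack scenario against one dispatcher: the caller has euid 0 but an
 * effective capability set without CAP_SYS_ADMIN (e.g. a root-owned service
 * that dropped it).  Returns the quiesce result and reports through *outage
 * whether a later request from a fully privileged caller is refused.
 */
long quiesce_as_capless_root(z90_ioctl_fn ioctl_fn, bool *outage)
{
    struct z90_dev_model dev = { .quiesced = false, .served = 0 };
    struct cred_model capless_root = { .euid = 0, .cap_effective = 0 };
    struct cred_model full_root = { .euid = 0, .cap_effective = cap_mask(CAP_SYS_ADMIN) };

    long rc = ioctl_fn(&dev, &capless_root, Z90QUIESCE);
    /* Whoever uses the adapter next sees the consequence. */
    *outage = ioctl_fn(&dev, &full_root, Z90_SUBMIT) == -ENODEV;
    return rc;
}

int main(void)
{
    bool outage;
    long rc = quiesce_as_capless_root(z90_ioctl_vulnerable, &outage);
    printf("vulnerable: quiesce rc=%ld, adapter out of service=%s\n", rc, outage ? "yes" : "no");
    rc = quiesce_as_capless_root(z90_ioctl_fixed, &outage);
    printf("fixed:      quiesce rc=%ld, adapter out of service=%s\n", rc, outage ? "yes" : "no");
    return 0;
}
```

Build with cc -std=c99 and run: the first line shows the quiesce succeeding and the adapter going out of service under the euid check, the second shows it failing with EPERM under the capability check while requests continue to be served. The practical lesson is that euid 0 is not a privilege boundary in a capability-aware kernel: capable() consults the effective capability set and passes through the LSM security_capable() hook, both of which a raw UID comparison bypasses. For the distributions whose advisories appear on this page, the fix shipped as kernel 2.6.9-89.0.11 on Red Hat Enterprise Linux, CentOS and Oracle Linux 4 (RHSA-2009:1438, CESA-2009:1438, ELSA-2009-1438), DSA-1929-1 on Debian, USN-852-1 on Ubuntu 6.06 and YOU patch 12578 on SUSE Linux Enterprise 9. z90crypt is the s390 crypto adapter driver, so only s390 hosts expose the device at all.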


{"result": {"seebug": [{"id": "SSV:12370", "type": "seebug", "title": "Linux Kernel z90crypt driver local privilege escalation vulnerability", "description": "CVE ID: CVE-2009-1883\r\n\r\nLinux Kernel is the kernel used by the open-source operating system Linux.\r\n\r\nThe z90crypt_unlocked_ioctl function in the z90crypt driver of the Linux Kernel does not perform a privilege check for the Z90QUIESCE operation, which may allow a local user with an effective user ID (euid) of 0 to bypass the intended functional restrictions and perform unauthorized operations.\n\nLinux kernel 2.6.9\nVendor patch:\r\n\r\nRedHat\r\n------\r\nRedHat has released a security advisory (RHSA-2009:1438-01) and the corresponding patch for this issue:\r\nRHSA-2009:1438-01: Important: kernel security and bug fix update\r\nLink: https://www.redhat.com/support/errata/RHSA-2009-1438.html", "published": "2009-09-22T00:00:00", "cvss": {"score": 4.4, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.seebug.org/vuldb/ssvid-12370", "cvelist": ["CVE-2009-1883"], "lastseen": "2017-11-19T18:35:43"}], "oraclelinux": [{"id": "ELSA-2009-1438", "type": "oraclelinux", "title": "kernel security and bug fix update", "description": "[2.6.9-89.0.11.0.1.EL]\n- fix skb alignment that was causing sendto() to fail with EFAULT (Olaf Kirch)\n [orabug 6845794]\n fix enomem due to larger mtu size page alloc (Zach Brown) [orabug 5486128]\n- backout patch sysrq-b that queues upto keventd thread (Guru Anbalagane)\n [orabug 6125546]\n- netrx/netpoll race avoidance (Tina Yang) [orabug 6143381]\n- [XEN] Fix elf_core_dump (Tina Yang) [orabug 6995928]\n- use lfence instead of cpuid instruction to implement memory barriers\n (Herbert van den Bergh) [orabug 
7452412]\n- add netpoll support to xen netfront (Tina Yang) [orabz 7261]\n- [xen] execshield: fix endless GPF fault loop (Stephen Tweedie) [orabug 7175395]\n- [xen]: port el5u2 patch that allows 64-bit PVHVM guest to boot with 32-bit\n dom0 [orabug 7452107] xenstore\n- [mm] update shrink_zone patch to allow 100% swap utilization (John Sobecki,\n Chris Mason, Chuck Anderson, Dave McCracken) [orabug 7566319,6086839]\n- [kernel] backport report_lost_ticks patch from EL5.2 (John Sobecki)\n [orabug 6110605]\n- [xen] fix for hung JVM thread after #GPF [orabug 7916406] (Chuck Anderson)\n- port EL5U3 patch to adjust totalhigh_pages in the balloon driver [orabug 8300888]\n- check to see if hypervisor supports memory reservation change (Chuck Anderson) [orabug7556514]\n- [XEN] use hypercall to fixmap pte updates (Mukesh Rathor) [orabug 8433329]\n- [XEN] Extend physical mask to 40bit for machine above 64G [orabug 8312526]\n[2.6.9-89.0.11]\n-execve: must clear current->clear_child_tid (Oleg Nesterov) [515427 515428] {CVE-2009-2848}\n-kernel: fix information leak in do_sigaltstack() (Vitaly Mayatskikh) [515394 515395] {CVE-2009-2847}\n-build with fno-delete-null-pointer-checks (Danny Feng) [517964 511183]\n-lpfc: update emulex lpfc driver to 8.0.16.47 with memory leak fix (Rob Evers) [513192 507680]\n-mpt fusion: fix typo in mpt fusion makefile (Tomas Henzl) [516184 496120]\n-implement mmap_min_addr infrastructure (Vitaly Mayatskikh) [517904 512641]\n-kernel: personality handling: fix per_clear_on_setid (Vitaly Mayatskikh) [511172 508843] {CVE-2009-1895}\n-megaraid: fix megaraid SAS tape input/output errors on mt_erase (Tomas Henzl) [517965 504080]\n-kernel: missing capability check in z90crypt (Hans-Joachim Picht) [505985 505986] {CVE-2009-1883}\n-qla2xxx: fix hang when using management tools (Marcus Barrow) [519428 503489]\n-kernel: random: make get_random_int more random (Amerigo Wang) [519692 499785]\n-fix __ptrace_unlink and zap_threads interaction (Oleg Nesterov) [519446 
506875]\n-fix soft lockups due to infinite loops in posix_locks_deadlock (Amerigo Wang) [519429 504279]\n[2.6.9-89.0.10]\n-mptscsi: missing mptscsi raid1 disk causes kernel panic when rebooted before array rebuild (Rob Evers) [517295 507864]\n-writeback: work around problems with persistent inode->dirtied_when values (Jeff Layton) [515255 477784]\n-mthca: don't try to kmalloc large allocations (Doug Ledford) [518707 510395] ", "published": "2009-09-15T00:00:00", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:NONE/A:NONE/"}, "href": "http://linux.oracle.com/errata/ELSA-2009-1438.html", "cvelist": ["CVE-2009-1895", "CVE-2009-1883", "CVE-2009-3238", "CVE-2009-2848", "CVE-2009-2847"], "lastseen": "2016-09-04T11:16:46"}], "nessus": [{"id": "ORACLELINUX_ELSA-2009-1438.NASL", "type": "nessus", "title": "Oracle Linux 4 : kernel (ELSA-2009-1438)", "description": "From Red Hat Security Advisory 2009:1438 :\n\nUpdated kernel packages that fix several security issues and several bugs are now available for Red Hat Enterprise Linux 4.\n\nThis update has been rated as having important security impact by the Red Hat Security Response Team.\n\nThe kernel packages contain the Linux kernel, the core of any Linux operating system.\n\nThis update fixes the following security issues :\n\n* the ADDR_COMPAT_LAYOUT and MMAP_PAGE_ZERO flags were not cleared when a setuid or setgid program was executed. A local, unprivileged user could use this flaw to bypass the mmap_min_addr protection mechanism and perform a NULL pointer dereference attack, or bypass the Address Space Layout Randomization (ASLR) security feature.\n(CVE-2009-1895, Important)\n\n* it was discovered that, when executing a new process, the clear_child_tid pointer in the Linux kernel is not cleared. If this pointer points to a writable portion of the memory of the new program, the kernel could corrupt four bytes of memory, possibly leading to a local denial of service or privilege escalation. 
(CVE-2009-2848, Important)\n\n* Solar Designer reported a missing capability check in the z90crypt driver in the Linux kernel. This missing check could allow a local user with an effective user ID (euid) of 0 to bypass intended capability restrictions. (CVE-2009-1883, Moderate)\n\n* a flaw was found in the way the do_sigaltstack() function in the Linux kernel copies the stack_t structure to user-space. On 64-bit machines, this flaw could lead to a four-byte information leak.\n(CVE-2009-2847, Moderate)\n\nThis update also fixes the following bugs :\n\n* the gcc flag '-fno-delete-null-pointer-checks' was added to the kernel build options. This prevents gcc from optimizing out NULL pointer checks after the first use of a pointer. NULL pointer bugs are often exploited by attackers. Keeping these checks is a safety measure. (BZ#517964)\n\n* the Emulex LPFC driver has been updated to version 8.0.16.47, which fixes a memory leak that caused memory allocation failures and system hangs. (BZ#513192)\n\n* an error in the MPT Fusion driver makefile caused CSMI ioctls to not work with Serial Attached SCSI devices. (BZ#516184)\n\n* this update adds the mmap_min_addr tunable and restriction checks to help prevent unprivileged users from creating new memory mappings below the minimum address. This can help prevent the exploitation of NULL pointer dereference bugs. Note that mmap_min_addr is set to zero (disabled) by default for backwards compatibility. (BZ#517904)\n\n* time-outs resulted in I/O errors being logged to '/var/log/messages' when running 'mt erase' on tape drives using certain LSI MegaRAID SAS adapters, preventing the command from completing. The megaraid_sas driver's timeout value is now set to the OS layer value. (BZ#517965)\n\n* a locking issue caused the qla2xxx ioctl module to hang after encountering errors. This locking issue has been corrected. This ioctl module is used by the QLogic SAN management tools, such as SANsurfer and scli. 
(BZ#519428)\n\n* when a RAID 1 array that uses the mptscsi driver and the LSI 1030 controller became degraded, the whole array was detected as being offline, which could cause kernel panics at boot or data loss.\n(BZ#517295)\n\n* on 32-bit architectures, if a file was held open and frequently written for more than 25 days, it was possible that the kernel would stop flushing those writes to storage. (BZ#515255)\n\n* a memory allocation bug in ib_mthca prevented the driver from loading if it was loaded with large values for the 'num_mpt=' and 'num_mtt=' options. (BZ#518707)\n\n* with this update, get_random_int() is more random and no longer uses a common seed value, reducing the possibility of predicting the values returned. (BZ#519692)\n\n* a bug in __ptrace_unlink() caused it to create deadlocked and unkillable processes. (BZ#519446)\n\n* previously, multiple threads using the fcntl() F_SETLK command to synchronize file access caused a deadlock in posix_locks_deadlock().\nThis could cause a system hang. (BZ#519429)\n\nUsers should upgrade to these updated packages, which contain backported patches to correct these issues. 
The system must be rebooted for this update to take effect.", "published": "2013-07-12T00:00:00", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:NONE/A:NONE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=67925", "cvelist": ["CVE-2009-1895", "CVE-2009-1883", "CVE-2009-3238", "CVE-2009-2848", "CVE-2009-2847"], "lastseen": "2017-10-29T13:36:02"}, {"id": "REDHAT-RHSA-2009-1438.NASL", "type": "nessus", "title": "RHEL 4 : kernel (RHSA-2009:1438)", "description": "Updated kernel packages that fix several security issues and several bugs are now available for Red Hat Enterprise Linux 4.\n\nThis update has been rated as having important security impact by the Red Hat Security Response Team.\n\nThe kernel packages contain the Linux kernel, the core of any Linux operating system.\n\nThis update fixes the following security issues :\n\n* the ADDR_COMPAT_LAYOUT and MMAP_PAGE_ZERO flags were not cleared when a setuid or setgid program was executed. A local, unprivileged user could use this flaw to bypass the mmap_min_addr protection mechanism and perform a NULL pointer dereference attack, or bypass the Address Space Layout Randomization (ASLR) security feature.\n(CVE-2009-1895, Important)\n\n* it was discovered that, when executing a new process, the clear_child_tid pointer in the Linux kernel is not cleared. If this pointer points to a writable portion of the memory of the new program, the kernel could corrupt four bytes of memory, possibly leading to a local denial of service or privilege escalation. (CVE-2009-2848, Important)\n\n* Solar Designer reported a missing capability check in the z90crypt driver in the Linux kernel. This missing check could allow a local user with an effective user ID (euid) of 0 to bypass intended capability restrictions. (CVE-2009-1883, Moderate)\n\n* a flaw was found in the way the do_sigaltstack() function in the Linux kernel copies the stack_t structure to user-space. 
On 64-bit machines, this flaw could lead to a four-byte information leak.\n(CVE-2009-2847, Moderate)\n\nThis update also fixes the following bugs :\n\n* the gcc flag '-fno-delete-null-pointer-checks' was added to the kernel build options. This prevents gcc from optimizing out NULL pointer checks after the first use of a pointer. NULL pointer bugs are often exploited by attackers. Keeping these checks is a safety measure. (BZ#517964)\n\n* the Emulex LPFC driver has been updated to version 8.0.16.47, which fixes a memory leak that caused memory allocation failures and system hangs. (BZ#513192)\n\n* an error in the MPT Fusion driver makefile caused CSMI ioctls to not work with Serial Attached SCSI devices. (BZ#516184)\n\n* this update adds the mmap_min_addr tunable and restriction checks to help prevent unprivileged users from creating new memory mappings below the minimum address. This can help prevent the exploitation of NULL pointer dereference bugs. Note that mmap_min_addr is set to zero (disabled) by default for backwards compatibility. (BZ#517904)\n\n* time-outs resulted in I/O errors being logged to '/var/log/messages' when running 'mt erase' on tape drives using certain LSI MegaRAID SAS adapters, preventing the command from completing. The megaraid_sas driver's timeout value is now set to the OS layer value. (BZ#517965)\n\n* a locking issue caused the qla2xxx ioctl module to hang after encountering errors. This locking issue has been corrected. This ioctl module is used by the QLogic SAN management tools, such as SANsurfer and scli. (BZ#519428)\n\n* when a RAID 1 array that uses the mptscsi driver and the LSI 1030 controller became degraded, the whole array was detected as being offline, which could cause kernel panics at boot or data loss.\n(BZ#517295)\n\n* on 32-bit architectures, if a file was held open and frequently written for more than 25 days, it was possible that the kernel would stop flushing those writes to storage. 
(BZ#515255)\n\n* a memory allocation bug in ib_mthca prevented the driver from loading if it was loaded with large values for the 'num_mpt=' and 'num_mtt=' options. (BZ#518707)\n\n* with this update, get_random_int() is more random and no longer uses a common seed value, reducing the possibility of predicting the values returned. (BZ#519692)\n\n* a bug in __ptrace_unlink() caused it to create deadlocked and unkillable processes. (BZ#519446)\n\n* previously, multiple threads using the fcntl() F_SETLK command to synchronize file access caused a deadlock in posix_locks_deadlock().\nThis could cause a system hang. (BZ#519429)\n\nUsers should upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.", "published": "2009-09-16T00:00:00", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:NONE/A:NONE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=40998", "cvelist": ["CVE-2009-1895", "CVE-2009-1883", "CVE-2009-3238", "CVE-2009-2848", "CVE-2009-2847"], "lastseen": "2017-10-29T13:35:49"}, {"id": "CENTOS_RHSA-2009-1438.NASL", "type": "nessus", "title": "CentOS 4 : kernel (CESA-2009:1438)", "description": "Updated kernel packages that fix several security issues and several bugs are now available for Red Hat Enterprise Linux 4.\n\nThis update has been rated as having important security impact by the Red Hat Security Response Team.\n\nThe kernel packages contain the Linux kernel, the core of any Linux operating system.\n\nThis update fixes the following security issues :\n\n* the ADDR_COMPAT_LAYOUT and MMAP_PAGE_ZERO flags were not cleared when a setuid or setgid program was executed. 
A local, unprivileged user could use this flaw to bypass the mmap_min_addr protection mechanism and perform a NULL pointer dereference attack, or bypass the Address Space Layout Randomization (ASLR) security feature.\n(CVE-2009-1895, Important)\n\n* it was discovered that, when executing a new process, the clear_child_tid pointer in the Linux kernel is not cleared. If this pointer points to a writable portion of the memory of the new program, the kernel could corrupt four bytes of memory, possibly leading to a local denial of service or privilege escalation. (CVE-2009-2848, Important)\n\n* Solar Designer reported a missing capability check in the z90crypt driver in the Linux kernel. This missing check could allow a local user with an effective user ID (euid) of 0 to bypass intended capability restrictions. (CVE-2009-1883, Moderate)\n\n* a flaw was found in the way the do_sigaltstack() function in the Linux kernel copies the stack_t structure to user-space. On 64-bit machines, this flaw could lead to a four-byte information leak.\n(CVE-2009-2847, Moderate)\n\nThis update also fixes the following bugs :\n\n* the gcc flag '-fno-delete-null-pointer-checks' was added to the kernel build options. This prevents gcc from optimizing out NULL pointer checks after the first use of a pointer. NULL pointer bugs are often exploited by attackers. Keeping these checks is a safety measure. (BZ#517964)\n\n* the Emulex LPFC driver has been updated to version 8.0.16.47, which fixes a memory leak that caused memory allocation failures and system hangs. (BZ#513192)\n\n* an error in the MPT Fusion driver makefile caused CSMI ioctls to not work with Serial Attached SCSI devices. (BZ#516184)\n\n* this update adds the mmap_min_addr tunable and restriction checks to help prevent unprivileged users from creating new memory mappings below the minimum address. This can help prevent the exploitation of NULL pointer dereference bugs. 
Note that mmap_min_addr is set to zero (disabled) by default for backwards compatibility. (BZ#517904)\n\n* time-outs resulted in I/O errors being logged to '/var/log/messages' when running 'mt erase' on tape drives using certain LSI MegaRAID SAS adapters, preventing the command from completing. The megaraid_sas driver's timeout value is now set to the OS layer value. (BZ#517965)\n\n* a locking issue caused the qla2xxx ioctl module to hang after encountering errors. This locking issue has been corrected. This ioctl module is used by the QLogic SAN management tools, such as SANsurfer and scli. (BZ#519428)\n\n* when a RAID 1 array that uses the mptscsi driver and the LSI 1030 controller became degraded, the whole array was detected as being offline, which could cause kernel panics at boot or data loss.\n(BZ#517295)\n\n* on 32-bit architectures, if a file was held open and frequently written for more than 25 days, it was possible that the kernel would stop flushing those writes to storage. (BZ#515255)\n\n* a memory allocation bug in ib_mthca prevented the driver from loading if it was loaded with large values for the 'num_mpt=' and 'num_mtt=' options. (BZ#518707)\n\n* with this update, get_random_int() is more random and no longer uses a common seed value, reducing the possibility of predicting the values returned. (BZ#519692)\n\n* a bug in __ptrace_unlink() caused it to create deadlocked and unkillable processes. (BZ#519446)\n\n* previously, multiple threads using the fcntl() F_SETLK command to synchronize file access caused a deadlock in posix_locks_deadlock().\nThis could cause a system hang. (BZ#519429)\n\nUsers should upgrade to these updated packages, which contain backported patches to correct these issues. 
The system must be rebooted for this update to take effect.", "published": "2010-01-06T00:00:00", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:NONE/A:NONE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=43790", "cvelist": ["CVE-2009-1895", "CVE-2009-1883", "CVE-2009-3238", "CVE-2009-2848", "CVE-2009-2847"], "lastseen": "2017-10-29T13:43:34"}, {"id": "SUSE9_12578.NASL", "type": "nessus", "title": "SuSE9 Security Update : the Linux kernel (YOU Patch Number 12578)", "description": "This update fixes various security issues and some bugs in the SUSE Linux Enterprise 9 kernel.\n\n - The collect_rx_frame function in drivers/isdn/hisax/hfc_usb.c in the Linux kernel allows attackers to have an unspecified impact via a crafted HDLC packet that arrives over ISDN and triggers a buffer under-read. (CVE-2009-4005)\n\n - Array index error in the gdth_read_event function in drivers/scsi/gdth.c in the Linux kernel allows local users to cause a denial of service or possibly gain privileges via a negative event index in an IOCTL request. (CVE-2009-3080)\n\n - Missing CAP_NET_ADMIN checks in the ebtables netfilter code might have allowed local attackers to modify bridge firewall settings. (CVE-2010-0007)\n\n - drivers/net/e1000/e1000_main.c in the e1000 driver in the Linux kernel handles Ethernet frames that exceed the MTU by processing certain trailing payload data as if it were a complete frame, which allows remote attackers to bypass packet filters via a large packet with a crafted payload. 
(CVE-2009-4536)\n\n - The dbg_lvl file for the megaraid_sas driver in the Linux kernel has world-writable permissions, which allows local users to change the (1) behavior and (2) logging level of the driver by modifying this file.\n (CVE-2009-3889)\n\n - The z90crypt_unlocked_ioctl function in the z90crypt driver in the Linux kernel does not perform a capability check for the Z90QUIESCE operation, which allows local users to leverage euid 0 privileges to force a driver outage. (CVE-2009-1883)\n\n - Memory leak in the appletalk subsystem in the Linux kernel, when the appletalk and ipddp modules are loaded but the ipddp'N' device is not found, allows remote attackers to cause a denial of service (memory consumption) via IP-DDP datagrams. (CVE-2009-2903)\n\n - net/1/af_unix.c in the Linux kernel allows local users to cause a denial of service (system hang) by creating an abstract-namespace AF_UNIX listening socket, performing a shutdown operation on this socket, and then performing a series of connect operations to this socket. (CVE-2009-3621)\n\n - The ATI Rage 128 (aka r128) driver in the Linux kernel does not properly verify Concurrent Command Engine (CCE) state initialization, which allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly gain privileges via unspecified ioctl calls. 
(CVE-2009-3620)", "published": "2010-02-18T00:00:00", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=44654", "cvelist": ["CVE-2010-0007", "CVE-2009-3621", "CVE-2009-1883", "CVE-2009-4005", "CVE-2009-3080", "CVE-2009-3620", "CVE-2009-4536", "CVE-2009-2903", "CVE-2009-3889"], "lastseen": "2017-10-29T13:41:27"}, {"id": "DEBIAN_DSA-1929.NASL", "type": "nessus", "title": "Debian DSA-1929-1 : linux-2.6 - privilege escalation/denial of service/sensitive memory leak", "description": "Several vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service, sensitive memory leak or privilege escalation. The Common Vulnerabilities and Exposures project identifies the following problems :\n\n - CVE-2009-1883 Solar Designer discovered a missing capability check in the z90crypt driver on s390 systems. This vulnerability may allow a local user to gain elevated privileges.\n\n - CVE-2009-2909 Arjan van de Ven discovered an issue in the AX.25 protocol implementation. A specially crafted call to setsockopt() can result in a denial of service (kernel oops).\n\n - CVE-2009-3001 Jiri Slaby fixed a sensitive memory leak issue in the ANSI/IEEE 802.2 LLC implementation. This is not exploitable in the Debian lenny kernel as root privileges are required to exploit this issue.\n\n - CVE-2009-3002 Eric Dumazet fixed several sensitive memory leaks in the IrDA, X.25 PLP (Rose), NET/ROM, Acorn Econet/AUN, and Controller Area Network (CAN) implementations. Local users can exploit these issues to gain access to kernel memory.\n\n - CVE-2009-3228 Eric Dumazet reported an instance of uninitialized kernel memory in the network packet scheduler. 
Local users may be able to exploit this issue to read the contents of sensitive kernel memory.\n\n - CVE-2009-3238 Linus Torvalds provided a change to the get_random_int() function to increase its randomness.\n\n - CVE-2009-3286 Eric Paris discovered an issue with the NFSv4 server implementation. When an O_EXCL create fails, files may be left with corrupted permissions, possibly granting unintentional privileges to other local users.\n\n - CVE-2009-3547 Earl Chew discovered a NULL pointer dereference issue in the pipe_rdwr_open function which can be used by local users to gain elevated privileges.\n\n - CVE-2009-3612 Jiri Pirko discovered a typo in the initialization of a structure in the netlink subsystem that may allow local users to gain access to sensitive kernel memory.\n\n - CVE-2009-3621 Tomoki Sekiyama discovered a deadlock condition in the UNIX domain socket implementation. Local users can exploit this vulnerability to cause a denial of service (system hang).", "published": "2010-02-24T00:00:00", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:NONE/A:NONE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=44794", "cvelist": ["CVE-2009-3621", "CVE-2009-1883", "CVE-2009-3238", "CVE-2009-3001", "CVE-2009-3547", "CVE-2009-3002", "CVE-2009-2909", "CVE-2009-3228", "CVE-2009-3286", "CVE-2009-3612"], "lastseen": "2017-10-29T13:33:37"}, {"id": "UBUNTU_USN-852-1.NASL", "type": "nessus", "title": "Ubuntu 6.06 LTS / 8.04 LTS / 8.10 / 9.04 : linux, linux-source-2.6.15 vulnerabilities (USN-852-1)", "description": "Solar Designer discovered that the z90crypt driver did not correctly check capabilities. A local attacker could exploit this to shut down the device, leading to a denial of service. Only affected Ubuntu 6.06.\n(CVE-2009-1883)\n\nMichael Buesch discovered that the SGI GRU driver did not correctly check the length when setting options. 
A local attacker could exploit this to write to the kernel stack, leading to root privilege escalation or a denial of service. Only affected Ubuntu 8.10 and 9.04.\n(CVE-2009-2584)\n\nIt was discovered that SELinux did not fully implement the mmap_min_addr restrictions. A local attacker could exploit this to allocate the NULL memory page which could lead to further attacks against kernel NULL-dereference vulnerabilities. Ubuntu 6.06 was not affected. (CVE-2009-2695)\n\nCagri Coltekin discovered that the UDP stack did not correctly handle certain flags. A local user could send specially crafted commands and traffic to gain root privileges or crash the system, leading to a denial of service. Only affected Ubuntu 6.06. (CVE-2009-2698)\n\nHiroshi Shimamoto discovered that monotonic timers did not correctly validate parameters. A local user could make a specially crafted timer request to gain root privileges or crash the system, leading to a denial of service. Only affected Ubuntu 9.04. (CVE-2009-2767)\n\nMichael Buesch discovered that the HPPA ISA EEPROM driver did not correctly validate positions. A local user could make a specially crafted request to gain root privileges or crash the system, leading to a denial of service. (CVE-2009-2846)\n\nUlrich Drepper discovered that kernel signal stacks were not being correctly padded on 64-bit systems. A local attacker could send specially crafted calls to expose 4 bytes of kernel stack memory, leading to a loss of privacy. (CVE-2009-2847)\n\nJens Rosenboom discovered that the clone method did not correctly clear certain fields. A local attacker could exploit this to gain privileges or crash the system, leading to a denial of service.\n(CVE-2009-2848)\n\nIt was discovered that the MD driver did not check certain sysfs files. A local attacker with write access to /sys could exploit this to cause a system crash, leading to a denial of service. Ubuntu 6.06 was not affected. 
(CVE-2009-2849)\n\nMark Smith discovered that the AppleTalk stack did not correctly manage memory. A remote attacker could send specially crafted traffic to cause the system to consume all available memory, leading to a denial of service. (CVE-2009-2903)\n\nLoic Minier discovered that eCryptfs did not correctly handle writing to certain deleted files. A local attacker could exploit this to gain root privileges or crash the system, leading to a denial of service.\nUbuntu 6.06 was not affected. (CVE-2009-2908)\n\nIt was discovered that the LLC, AppleTalk, IR, EConet, Netrom, and ROSE network stacks did not correctly initialize their data structures. A local attacker could make specially crafted calls to read kernel memory, leading to a loss of privacy. (CVE-2009-3001, CVE-2009-3002)\n\nIt was discovered that the randomization used for Address Space Layout Randomization was predictable within a small window of time. A local attacker could exploit this to leverage further attacks that require knowledge of userspace memory layouts. (CVE-2009-3238)\n\nEric Paris discovered that NFSv4 did not correctly handle file creation failures. An attacker with write access to an NFSv4 share could exploit this to create files with arbitrary mode bits, leading to privilege escalation or a loss of privacy. (CVE-2009-3286)\n\nBob Tracy discovered that the SCSI generic driver did not correctly use the right index for array access. A local attacker with write access to a CDR could exploit this to crash the system, leading to a denial of service. Only Ubuntu 9.04 was affected. (CVE-2009-3288)\n\nJan Kiszka discovered that KVM did not correctly validate certain hypercalls. A local unprivileged attacker in a virtual guest could exploit this to crash the guest kernel, leading to a denial of service. Ubuntu 6.06 was not affected. (CVE-2009-3290).\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. 
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "published": "2009-10-22T00:00:00", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:NONE/A:NONE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=42209", "cvelist": ["CVE-2009-2846", "CVE-2009-1883", "CVE-2009-3238", "CVE-2009-2698", "CVE-2009-3001", "CVE-2009-2767", "CVE-2009-2584", "CVE-2009-3290", "CVE-2009-3288", "CVE-2009-3002", "CVE-2009-2908", "CVE-2009-2848", "CVE-2009-2903", "CVE-2009-3286", "CVE-2009-2695", "CVE-2009-2847", "CVE-2009-2849"], "lastseen": "2017-10-29T13:46:11"}], "openvas": [{"id": "OPENVAS:64940", "type": "openvas", "title": "CentOS Security Advisory CESA-2009:1438 (kernel)", "description": "The remote host is missing updates to kernel announced in\nadvisory CESA-2009:1438.", "published": "2009-09-21T00:00:00", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=64940", "cvelist": ["CVE-2009-1895", "CVE-2009-1883", "CVE-2009-2848", "CVE-2009-2847"], "lastseen": "2017-07-25T10:56:17"}, {"id": "OPENVAS:880935", "type": "openvas", "title": "CentOS Update for kernel CESA-2009:1438 centos4 i386", "description": "Check for the Version of kernel", "published": "2011-08-09T00:00:00", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=880935", "cvelist": ["CVE-2009-1895", "CVE-2009-1883", "CVE-2009-2848", "CVE-2009-2847"], "lastseen": "2017-07-25T10:55:41"}, {"id": "OPENVAS:64835", "type": "openvas", "title": "RedHat Security Advisory RHSA-2009:1438", "description": "The remote host is missing updates to the Linux kernel announced in\nadvisory RHSA-2009:1438.\n\nThis update fixes the following security issues:\n\n* the ADDR_COMPAT_LAYOUT and MMAP_PAGE_ZERO flags were not cleared when a\nsetuid or setgid 
program was executed. A local, unprivileged user could use\nthis flaw to bypass the mmap_min_addr protection mechanism and perform a\nNULL pointer dereference attack, or bypass the Address Space Layout\nRandomization (ASLR) security feature. (CVE-2009-1895, Important)\n\n* it was discovered that, when executing a new process, the clear_child_tid\npointer in the Linux kernel is not cleared. If this pointer points to a\nwritable portion of the memory of the new program, the kernel could corrupt\nfour bytes of memory, possibly leading to a local denial of service or\nprivilege escalation. (CVE-2009-2848, Important)\n\n* Solar Designer reported a missing capability check in the z90crypt driver\nin the Linux kernel. This missing check could allow a local user with an\neffective user ID (euid) of 0 to bypass intended capability restrictions.\n(CVE-2009-1883, Moderate)\n\n* a flaw was found in the way the do_sigaltstack() function in the Linux\nkernel copies the stack_t structure to user-space. On 64-bit machines, this\nflaw could lead to a four-byte information leak. 
(CVE-2009-2847, Moderate)", "published": "2009-09-15T00:00:00", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=64835", "cvelist": ["CVE-2009-1895", "CVE-2009-1883", "CVE-2009-2848", "CVE-2009-2847"], "lastseen": "2017-07-27T10:56:36"}, {"id": "OPENVAS:66209", "type": "openvas", "title": "Debian Security Advisory DSA 1929-1 (linux-2.6)", "description": "The remote host is missing an update to linux-2.6\nannounced via advisory DSA 1929-1.", "published": "2009-11-11T00:00:00", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:NONE/A:NONE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=66209", "cvelist": ["CVE-2009-3621", "CVE-2009-1883", "CVE-2009-3238", "CVE-2009-3001", "CVE-2009-3547", "CVE-2009-3002", "CVE-2009-2909", "CVE-2009-3228", "CVE-2009-3286", "CVE-2009-3612"], "lastseen": "2017-07-24T12:57:02"}], "centos": [{"id": "CESA-2009:1438", "type": "centos", "title": "kernel security update", "description": "**CentOS Errata and Security Advisory** CESA-2009:1438\n\n\nThe kernel packages contain the Linux kernel, the core of any Linux\noperating system.\n\nThis update fixes the following security issues:\n\n* the ADDR_COMPAT_LAYOUT and MMAP_PAGE_ZERO flags were not cleared when a\nsetuid or setgid program was executed. A local, unprivileged user could use\nthis flaw to bypass the mmap_min_addr protection mechanism and perform a\nNULL pointer dereference attack, or bypass the Address Space Layout\nRandomization (ASLR) security feature. (CVE-2009-1895, Important)\n\n* it was discovered that, when executing a new process, the clear_child_tid\npointer in the Linux kernel is not cleared. If this pointer points to a\nwritable portion of the memory of the new program, the kernel could corrupt\nfour bytes of memory, possibly leading to a local denial of service or\nprivilege escalation. 
(CVE-2009-2848, Important)\n\n* Solar Designer reported a missing capability check in the z90crypt driver\nin the Linux kernel. This missing check could allow a local user with an\neffective user ID (euid) of 0 to bypass intended capability restrictions.\n(CVE-2009-1883, Moderate)\n\n* a flaw was found in the way the do_sigaltstack() function in the Linux\nkernel copies the stack_t structure to user-space. On 64-bit machines, this\nflaw could lead to a four-byte information leak. (CVE-2009-2847, Moderate)\n\nThis update also fixes the following bugs:\n\n* the gcc flag \"-fno-delete-null-pointer-checks\" was added to the kernel\nbuild options. This prevents gcc from optimizing out NULL pointer checks\nafter the first use of a pointer. NULL pointer bugs are often exploited by\nattackers. Keeping these checks is a safety measure. (BZ#517964)\n\n* the Emulex LPFC driver has been updated to version 8.0.16.47, which\nfixes a memory leak that caused memory allocation failures and system\nhangs. (BZ#513192)\n\n* an error in the MPT Fusion driver makefile caused CSMI ioctls to not\nwork with Serial Attached SCSI devices. (BZ#516184)\n\n* this update adds the mmap_min_addr tunable and restriction checks to help\nprevent unprivileged users from creating new memory mappings below the\nminimum address. This can help prevent the exploitation of NULL pointer\ndereference bugs. Note that mmap_min_addr is set to zero (disabled) by\ndefault for backwards compatibility. (BZ#517904)\n\n* time-outs resulted in I/O errors being logged to \"/var/log/messages\" when\nrunning \"mt erase\" on tape drives using certain LSI MegaRAID SAS adapters,\npreventing the command from completing. The megaraid_sas driver's timeout\nvalue is now set to the OS layer value. (BZ#517965)\n\n* a locking issue caused the qla2xxx ioctl module to hang after\nencountering errors. This locking issue has been corrected. This ioctl\nmodule is used by the QLogic SAN management tools, such as SANsurfer and\nscli. 
(BZ#519428)\n\n* when a RAID 1 array that uses the mptscsi driver and the LSI 1030\ncontroller became degraded, the whole array was detected as being offline,\nwhich could cause kernel panics at boot or data loss. (BZ#517295)\n\n* on 32-bit architectures, if a file was held open and frequently written\nfor more than 25 days, it was possible that the kernel would stop flushing\nthose writes to storage. (BZ#515255)\n\n* a memory allocation bug in ib_mthca prevented the driver from loading if\nit was loaded with large values for the \"num_mpt=\" and \"num_mtt=\" options.\n(BZ#518707)\n\n* with this update, get_random_int() is more random and no longer uses a\ncommon seed value, reducing the possibility of predicting the values\nreturned. (BZ#519692)\n\n* a bug in __ptrace_unlink() caused it to create deadlocked and unkillable\nprocesses. (BZ#519446)\n\n* previously, multiple threads using the fcntl() F_SETLK command to\nsynchronize file access caused a deadlock in posix_locks_deadlock(). This\ncould cause a system hang. (BZ#519429)\n\nUsers should upgrade to these updated packages, which contain backported\npatches to correct these issues. 
The system must be rebooted for this\nupdate to take effect.\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2009-September/016165.html\nhttp://lists.centos.org/pipermail/centos-announce/2009-September/016166.html\n\n**Affected packages:**\nkernel\nkernel-devel\nkernel-doc\nkernel-hugemem\nkernel-hugemem-devel\nkernel-largesmp\nkernel-largesmp-devel\nkernel-smp\nkernel-smp-devel\nkernel-xenU\nkernel-xenU-devel\n\n**Upstream details at:**\n", "published": "2009-09-16T04:38:30", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:NONE/A:NONE/"}, "href": "http://lists.centos.org/pipermail/centos-announce/2009-September/016165.html", "cvelist": ["CVE-2009-1895", "CVE-2009-1883", "CVE-2009-3238", "CVE-2009-2848", "CVE-2009-2847"], "lastseen": "2017-10-12T14:46:30"}], "redhat": [{"id": "RHSA-2009:1438", "type": "redhat", "title": "(RHSA-2009:1438) Important: kernel security and bug fix update", "description": "The kernel packages contain the Linux kernel, the core of any Linux\noperating system.\n\nThis update fixes the following security issues:\n\n* the ADDR_COMPAT_LAYOUT and MMAP_PAGE_ZERO flags were not cleared when a\nsetuid or setgid program was executed. A local, unprivileged user could use\nthis flaw to bypass the mmap_min_addr protection mechanism and perform a\nNULL pointer dereference attack, or bypass the Address Space Layout\nRandomization (ASLR) security feature. (CVE-2009-1895, Important)\n\n* it was discovered that, when executing a new process, the clear_child_tid\npointer in the Linux kernel is not cleared. If this pointer points to a\nwritable portion of the memory of the new program, the kernel could corrupt\nfour bytes of memory, possibly leading to a local denial of service or\nprivilege escalation. (CVE-2009-2848, Important)\n\n* Solar Designer reported a missing capability check in the z90crypt driver\nin the Linux kernel. 
This missing check could allow a local user with an\neffective user ID (euid) of 0 to bypass intended capability restrictions.\n(CVE-2009-1883, Moderate)\n\n* a flaw was found in the way the do_sigaltstack() function in the Linux\nkernel copies the stack_t structure to user-space. On 64-bit machines, this\nflaw could lead to a four-byte information leak. (CVE-2009-2847, Moderate)\n\nThis update also fixes the following bugs:\n\n* the gcc flag \"-fno-delete-null-pointer-checks\" was added to the kernel\nbuild options. This prevents gcc from optimizing out NULL pointer checks\nafter the first use of a pointer. NULL pointer bugs are often exploited by\nattackers. Keeping these checks is a safety measure. (BZ#517964)\n\n* the Emulex LPFC driver has been updated to version 8.0.16.47, which\nfixes a memory leak that caused memory allocation failures and system\nhangs. (BZ#513192)\n\n* an error in the MPT Fusion driver makefile caused CSMI ioctls to not\nwork with Serial Attached SCSI devices. (BZ#516184)\n\n* this update adds the mmap_min_addr tunable and restriction checks to help\nprevent unprivileged users from creating new memory mappings below the\nminimum address. This can help prevent the exploitation of NULL pointer\ndereference bugs. Note that mmap_min_addr is set to zero (disabled) by\ndefault for backwards compatibility. (BZ#517904)\n\n* time-outs resulted in I/O errors being logged to \"/var/log/messages\" when\nrunning \"mt erase\" on tape drives using certain LSI MegaRAID SAS adapters,\npreventing the command from completing. The megaraid_sas driver's timeout\nvalue is now set to the OS layer value. (BZ#517965)\n\n* a locking issue caused the qla2xxx ioctl module to hang after\nencountering errors. This locking issue has been corrected. This ioctl\nmodule is used by the QLogic SAN management tools, such as SANsurfer and\nscli. 
(BZ#519428)\n\n* when a RAID 1 array that uses the mptscsi driver and the LSI 1030\ncontroller became degraded, the whole array was detected as being offline,\nwhich could cause kernel panics at boot or data loss. (BZ#517295)\n\n* on 32-bit architectures, if a file was held open and frequently written\nfor more than 25 days, it was possible that the kernel would stop flushing\nthose writes to storage. (BZ#515255)\n\n* a memory allocation bug in ib_mthca prevented the driver from loading if\nit was loaded with large values for the \"num_mpt=\" and \"num_mtt=\" options.\n(BZ#518707)\n\n* with this update, get_random_int() is more random and no longer uses a\ncommon seed value, reducing the possibility of predicting the values\nreturned. (BZ#519692)\n\n* a bug in __ptrace_unlink() caused it to create deadlocked and unkillable\nprocesses. (BZ#519446)\n\n* previously, multiple threads using the fcntl() F_SETLK command to\nsynchronize file access caused a deadlock in posix_locks_deadlock(). This\ncould cause a system hang. (BZ#519429)\n\nUsers should upgrade to these updated packages, which contain backported\npatches to correct these issues. 
The system must be rebooted for this\nupdate to take effect.", "published": "2009-09-15T04:00:00", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:NONE/A:NONE/"}, "href": "https://access.redhat.com/errata/RHSA-2009:1438", "cvelist": ["CVE-2009-1883", "CVE-2009-1895", "CVE-2009-2847", "CVE-2009-2848", "CVE-2009-3238"], "lastseen": "2017-09-09T07:19:42"}], "suse": [{"id": "SUSE-SA:2010:013", "type": "suse", "title": "remote denial of service in kernel", "description": "This update fixes various security issues and some bugs in the SUSE Linux Enterprise 9 kernel.\n#### Solution\nThere is no known workaround, please install the update packages.", "published": "2010-02-18T21:41:21", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2010-02/msg00007.html", "cvelist": ["CVE-2010-0007", "CVE-2009-3621", "CVE-2009-1883", "CVE-2009-4005", "CVE-2009-3080", "CVE-2009-3620", "CVE-2009-4536", "CVE-2009-2903", "CVE-2009-3889"], "lastseen": "2016-09-04T11:31:52"}], "debian": [{"id": "DSA-1929", "type": "debian", "title": "linux-2.6 -- privilege escalation/denial of service/sensitive memory leak", "description": "Several vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service, sensitive memory leak or privilege escalation. The Common Vulnerabilities and Exposures project identifies the following problems:\n\n * [CVE-2009-1883](<https://security-tracker.debian.org/tracker/CVE-2009-1883>)\n\nSolar Designer discovered a missing capability check in the z90crypt driver for s390 systems. This vulnerability may allow a local user to gain elevated privileges.\n\n * [CVE-2009-2909](<https://security-tracker.debian.org/tracker/CVE-2009-2909>)\n\nArjan van de Ven discovered an issue in the AX.25 protocol implementation. 
A specially crafted call to setsockopt() can result in a denial of service (kernel oops).\n\n * [CVE-2009-3001](<https://security-tracker.debian.org/tracker/CVE-2009-3001>)\n\nJiri Slaby fixed a sensitive memory leak issue in the ANSI/IEEE 802.2 LLC implementation. This is not exploitable in the Debian lenny kernel as root privileges are required to exploit this issue.\n\n * [CVE-2009-3002](<https://security-tracker.debian.org/tracker/CVE-2009-3002>)\n\nEric Dumazet fixed several sensitive memory leaks in the IrDA, X.25 PLP (Rose), NET/ROM, Acorn Econet/AUN, and Controller Area Network (CAN) implementations. Local users can exploit these issues to gain access to kernel memory.\n\n * [CVE-2009-3228](<https://security-tracker.debian.org/tracker/CVE-2009-3228>)\n\nEric Dumazet reported an instance of uninitialized kernel memory in the network packet scheduler. Local users may be able to exploit this issue to read the contents of sensitive kernel memory.\n\n * [CVE-2009-3238](<https://security-tracker.debian.org/tracker/CVE-2009-3238>)\n\nLinus Torvalds provided a change to the get_random_int() function to increase its randomness.\n\n * [CVE-2009-3286](<https://security-tracker.debian.org/tracker/CVE-2009-3286>)\n\nEric Paris discovered an issue with the NFSv4 server implementation. 
When an O_EXCL create fails, files may be left with corrupted permissions, possibly granting unintentional privileges to other local users.\n\n * [CVE-2009-3547](<https://security-tracker.debian.org/tracker/CVE-2009-3547>)\n\nEarl Chew discovered a NULL pointer dereference issue in the pipe_rdwr_open function which can be used by local users to gain elevated privileges.\n\n * [CVE-2009-3612](<https://security-tracker.debian.org/tracker/CVE-2009-3612>)\n\nJiri Pirko discovered a typo in the initialization of a structure in the netlink subsystem that may allow local users to gain access to sensitive kernel memory.\n\n * [CVE-2009-3621](<https://security-tracker.debian.org/tracker/CVE-2009-3621>)\n\nTomoki Sekiyama discovered a deadlock condition in the UNIX domain socket implementation. Local users can exploit this vulnerability to cause a denial of service (system hang).\n\nFor the oldstable distribution (etch), this problem has been fixed in version 2.6.18.dfsg.1-26etch1.\n\nWe recommend that you upgrade your linux-2.6, fai-kernels, and user-mode-linux packages.\n\nNote: Debian 'etch' includes linux kernel packages based upon both the 2.6.18 and 2.6.24 linux releases. All known security issues are carefully tracked against both packages and both packages will receive security updates until security support for Debian 'etch' concludes. 
However, given the high frequency at which low-severity security issues are discovered in the kernel and the resource requirements of doing an update, lower severity 2.6.18 and 2.6.24 updates will typically release in a staggered or \"leap-frog\" fashion.\n\nThe following matrix lists additional source packages that were rebuilt for compatibility with or to take advantage of this update:\n\n| Debian 4.0 (etch) \n---|--- \nfai-kernels | 1.17+etch.26etch1 \nuser-mode-linux | 2.6.18-1um-2etch.26etch1", "published": "2009-11-05T00:00:00", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:NONE/A:NONE/"}, "href": "http://www.debian.org/security/dsa-1929", "cvelist": ["CVE-2009-3621", "CVE-2009-1883", "CVE-2009-3238", "CVE-2009-3001", "CVE-2009-3547", "CVE-2009-3002", "CVE-2009-2909", "CVE-2009-3228", "CVE-2009-3286", "CVE-2009-3612"], "lastseen": "2016-09-02T18:33:44"}], "ubuntu": [{"id": "USN-852-1", "type": "ubuntu", "title": "Linux kernel vulnerabilities", "description": "Solar Designer discovered that the z90crypt driver did not correctly \ncheck capabilities. A local attacker could exploit this to shut down \nthe device, leading to a denial of service. Only affected Ubuntu 6.06. \n([CVE-2009-1883](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2009-1883>))\n\nMichael Buesch discovered that the SGI GRU driver did not correctly check \nthe length when setting options. A local attacker could exploit this \nto write to the kernel stack, leading to root privilege escalation or \na denial of service. Only affected Ubuntu 8.10 and 9.04. ([CVE-2009-2584](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2009-2584>))\n\nIt was discovered that SELinux did not fully implement the mmap_min_addr \nrestrictions. A local attacker could exploit this to allocate the \nNULL memory page which could lead to further attacks against kernel \nNULL-dereference vulnerabilities. Ubuntu 6.06 was not affected. 
\n([CVE-2009-2695](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2009-2695>))\n\nCagri Coltekin discovered that the UDP stack did not correctly handle \ncertain flags. A local user could send specially crafted commands and \ntraffic to gain root privileges or crash the system, leading to a denial \nof service. Only affected Ubuntu 6.06. ([CVE-2009-2698](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2009-2698>))\n\nHiroshi Shimamoto discovered that monotonic timers did not correctly \nvalidate parameters. A local user could make a specially crafted timer \nrequest to gain root privileges or crash the system, leading to a denial \nof service. Only affected Ubuntu 9.04. ([CVE-2009-2767](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2009-2767>))\n\nMichael Buesch discovered that the HPPA ISA EEPROM driver did not \ncorrectly validate positions. A local user could make a specially crafted \nrequest to gain root privileges or crash the system, leading to a denial \nof service. ([CVE-2009-2846](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2009-2846>))\n\nUlrich Drepper discovered that kernel signal stacks were not being \ncorrectly padded on 64-bit systems. A local attacker could send specially \ncrafted calls to expose 4 bytes of kernel stack memory, leading to a \nloss of privacy. ([CVE-2009-2847](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2009-2847>))\n\nJens Rosenboom discovered that the clone method did not correctly clear \ncertain fields. A local attacker could exploit this to gain privileges \nor crash the system, leading to a denial of service. ([CVE-2009-2848](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2009-2848>))\n\nIt was discovered that the MD driver did not check certain sysfs files. \nA local attacker with write access to /sys could exploit this to cause \na system crash, leading to a denial of service. Ubuntu 6.06 was not \naffected. 
([CVE-2009-2849](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2009-2849>))\n\nMark Smith discovered that the AppleTalk stack did not correctly \nmanage memory. A remote attacker could send specially crafted traffic \nto cause the system to consume all available memory, leading to a denial \nof service. ([CVE-2009-2903](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2009-2903>))\n\nLo\u00efc Minier discovered that eCryptfs did not correctly handle writing \nto certain deleted files. A local attacker could exploit this to gain \nroot privileges or crash the system, leading to a denial of service. \nUbuntu 6.06 was not affected. ([CVE-2009-2908](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2009-2908>))\n\nIt was discovered that the LLC, AppleTalk, IR, EConet, Netrom, and \nROSE network stacks did not correctly initialize their data structures. \nA local attacker could make specially crafted calls to read kernel memory, \nleading to a loss of privacy. ([CVE-2009-3001](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2009-3001>), [CVE-2009-3002](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2009-3002>))\n\nIt was discovered that the randomization used for Address Space Layout \nRandomization was predictable within a small window of time. A local \nattacker could exploit this to leverage further attacks that require \nknowledge of userspace memory layouts. ([CVE-2009-3238](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2009-3238>))\n\nEric Paris discovered that NFSv4 did not correctly handle file creation \nfailures. An attacker with write access to an NFSv4 share could exploit \nthis to create files with arbitrary mode bits, leading to privilege \nescalation or a loss of privacy. ([CVE-2009-3286](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2009-3286>))\n\nBob Tracy discovered that the SCSI generic driver did not correctly use \nthe right index for array access. 
A local attacker with write access \nto a CDR could exploit this to crash the system, leading to a denial \nof service. Only Ubuntu 9.04 was affected. ([CVE-2009-3288](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2009-3288>))\n\nJan Kiszka discovered that KVM did not correctly validate certain \nhypercalls. A local unprivileged attacker in a virtual guest could exploit \nthis to crash the guest kernel, leading to a denial of service. Ubuntu \n6.06 was not affected. ([CVE-2009-3290](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2009-3290>))", "published": "2009-10-21T00:00:00", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:NONE/A:NONE/"}, "href": "https://usn.ubuntu.com/usn/usn-852-1/", "cvelist": ["CVE-2009-2846", "CVE-2009-1883", "CVE-2009-3238", "CVE-2009-2698", "CVE-2009-3001", "CVE-2009-2767", "CVE-2009-2584", "CVE-2009-3290", "CVE-2009-3288", "CVE-2009-3002", "CVE-2009-2908", "CVE-2009-2848", "CVE-2009-2903", "CVE-2009-3286", "CVE-2009-2695", "CVE-2009-2847", "CVE-2009-2849"], "lastseen": "2017-08-09T19:13:27"}]}}